CyberStrikeAI Compromised 600+ FortiGate Devices in 55 Countries — What Dev and Ops Teams Must Do Now
Quick summary
An AI-powered attack tool breached 600+ Fortinet FortiGate firewalls across 55 countries in weeks. How it happened, why default credentials and exposed management ports are the real story, and four actions every team should take in March 2026.
Between January and February 2026, a single AI-orchestrated campaign compromised more than 600 Fortinet FortiGate appliances across 55 countries. The tool behind it — CyberStrikeAI — is an open-source, AI-native offensive platform that chains over 100 security tools with generative AI (Claude and DeepSeek) and a web dashboard. It was first published on GitHub in November 2025. By early 2026, threat actors were using it to automate reconnaissance, credential stuffing, and full configuration extraction. The takeaway for developers and ops teams is not "AI is hacking us" but "exposed management ports and weak credentials are still the fastest path in."
What Actually Happened
CyberStrikeAI did not rely on zero-days. Attackers targeted internet-exposed management ports (443, 8443, 10443, 4443) and weak or default credentials. Once authenticated, they pulled full configuration backups containing SSL-VPN credentials, LDAP accounts, and network topology. That data was then used to pivot inside victim networks. Researchers attributed infrastructure to 21 unique IPs running the tool between 20 January and 26 February 2026, largely in China, Singapore, and Hong Kong. The tool’s author had submitted it to a Chinese state-linked programme (Knownsec 404 Starlink) in December 2025, raising the stakes for both criminal and nation-state use.
Why This Matters for Developers and Ops
If you ship or operate services that sit behind FortiGate (or any edge firewall), this campaign is a direct signal. The same pattern — exposed management interfaces plus weak auth — applies to VPN gateways, cloud consoles, CI/CD dashboards, and admin panels. AI is not replacing the need for basic hardening; it is making it easier for more attackers to find and exploit the same mistakes at scale.
Four Actions to Take Now
1. Audit internet-exposed management and admin interfaces. Identify every FortiGate (and similar) management port reachable from the internet. If you do not need it publicly reachable, restrict it to a jump host or VPN. This single step would have blocked the majority of CyberStrikeAI’s successful logins.
2. Enforce strong authentication and MFA. Default and weak credentials were the primary enabler. Require phishing-resistant MFA (hardware keys or passkeys) for all management and VPN access. Rotate any shared or default credentials immediately.
3. Harden and patch. Apply the latest Fortinet security advisories and firmware. Ensure TLS and access policies are locked down. Treat firewall configs as crown jewels: backup and integrity-check them; limit who can export or modify them.
4. Assume configs are exfiltrated. If a device was exposed and you have not yet rotated VPN and LDAP credentials, assume they are in hostile hands. Rotate every credential that could have been in a backup; review trust boundaries and segment critical assets.
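The campaign pattern described above (a burst of failed admin logins on an exposed management interface, then a successful login, then a configuration backup) is also a detectable sequence, which makes action 4's "assume exfiltrated" decision evidence-based. The following detection logic is an added example, not code from the article or from any Fortinet tool; the log lines are constructed, and the field names (`logdesc`, `action`, `status`, `user`, `srcip`) follow the FortiGate key=value convention but are assumed rather than taken from captured logs.

```python
"""Flag source IPs showing credential stuffing followed by config export."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # FortiGate key=value syntax
FAIL_THRESHOLD = 5                            # failed admin logins from one IP
WINDOW = timedelta(minutes=10)                # ... within this window = stuffing

# Constructed sample: six failures in seconds, a success, then a backup.
SAMPLE_LOGS = "\n".join(
    [f'date=2026-02-03 time=10:00:{s:02d} type="event" subtype="system" '
     f'logdesc="Admin login failed" action="login" status="failed" '
     f'user="{u}" srcip=203.0.113.7'
     for s, u in enumerate(["admin", "admin", "fortinet", "admin", "maint", "admin"])]
    + ['date=2026-02-03 time=10:00:19 type="event" subtype="system" '
       'logdesc="Admin login successful" action="login" status="success" '
       'user="admin" srcip=203.0.113.7',
       'date=2026-02-03 time=10:02:00 type="event" subtype="system" '
       'logdesc="Configuration backup" action="backup" status="success" '
       'user="admin" srcip=203.0.113.7',
       'date=2026-02-03 time=11:00:00 type="event" subtype="system" '
       'logdesc="Admin login successful" action="login" status="success" '
       'user="ops" srcip=198.51.100.4'])

def parse_line(line):
    """Turn one key=value log line into a dict with a parsed timestamp."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["ts"] = datetime.fromisoformat(f'{rec["date"]}T{rec["time"]}')
    return rec

def find_suspicious_sources(log_text):
    """Return {srcip: [findings]} for sources matching the campaign pattern."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["srcip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        logins = [r for r in recs if r.get("action") == "login"]
        fails = [r["ts"] for r in logins if r["status"] == "failed"]
        # Sliding window: FAIL_THRESHOLD failures inside WINDOW marks a burst.
        burst_end = next((fails[i + FAIL_THRESHOLD - 1] for i in range(len(fails) - FAIL_THRESHOLD + 1)
                          if fails[i + FAIL_THRESHOLD - 1] - fails[i] <= WINDOW), None)
        if burst_end is None:
            continue
        notes = [f"{FAIL_THRESHOLD}+ failed admin logins within {WINDOW}"]
        wins = [r for r in logins if r["status"] == "success" and r["ts"] > burst_end]
        if wins:
            notes.append(f"login succeeded after the burst as user={wins[0]['user']}")
            if any(r.get("action") == "backup" and r["ts"] > wins[0]["ts"] for r in recs):
                notes.append("config backup exported after that login: treat config as exfiltrated")
        findings[ip] = notes
    return findings
```

Tune `FAIL_THRESHOLD` and `WINDOW` to your own admin login baseline before alerting on the first finding alone; the second and third findings are the ones that justify immediate credential rotation.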
The CyberStrikeAI campaign is a reminder that AI is levelling the playing field for offensive operations. Defence still comes down to visibility, least privilege, and not leaving the front door open. Teams that close management exposure and strengthen auth will stay ahead of the next wave.
Frequently Asked Questions
What is CyberStrikeAI?
CyberStrikeAI is an open-source, AI-native offensive security platform built in Go, first published in November 2025. It integrates over 100 security tools with generative AI (Anthropic Claude and DeepSeek) and a web dashboard, allowing operators to automate reconnaissance, exploitation, and reporting. Threat actors used it in early 2026 to compromise 600+ Fortinet FortiGate devices across 55 countries.
Did CyberStrikeAI use zero-day exploits?
No. The campaign relied on internet-exposed management ports (443, 8443, 10443, 4443) and weak or default credentials. Once authenticated, attackers extracted full configuration backups containing VPN and LDAP credentials and used them to pivot internally.
What should developers and ops teams do after the FortiGate breaches?
Audit internet-exposed management interfaces and restrict access; enforce strong auth and MFA on all management and VPN access; apply vendor patches and harden configs; and assume exposed devices may have had configs exfiltrated — rotate VPN, LDAP, and any credentials that could have been in backups.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 941+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
